Home Podcasts Videos Guest Posts Q&A My Take Bio Contact
 

Q & A

 

Q&A: NIST’s new ‘Enterprise Risk Management’ guidelines push cyber risks to board level

By Byron V. Acohido

Enterprise risk management (ERM) is a comparatively new corporate discipline. The basic notion is that in today’s complex operating environment, it is important for businesses to proactively identify operational hazards and have a plan in place to account for them.

Related: Poll shows senior execs get cybersecurity

A hazard is anything that can interfere with a company meeting its objectives; it could be something physical, such as a fire, a theft or a natural disaster; or it could  be an abstract risk, such as a lawsuit or a regulatory fine.

As part of its role promoting cybersecurity best practices, the National Institute of Standards and Technology (NIST) has stepped forward to make sure complex and expanding cybersecurity exposures become part and parcel of evolving ERM frameworks.

NIST has been getting positive feedback to draft guidelines it issued in late March which essentially serves as a roadmap for enterprises to account for complex cybersecurity exposures when implementing ERM strategies. The guidelines — NISTIR 8286, Integrating Cybersecurity and Enterprise Risk Management (ERM) – are specifically aimed at fostering the integration of cybersecurity risk management best practices and ERM frameworks.

The Internet Security Alliance (ISA) is a trade association and think tank whose members include prominent corporations in a wide cross section of industries. In February, ISA, in partnership with the National Association of Corporate Directors (NACD), published the 2020 edition of their Cyber-Risk Oversight Handbook for Corporate Boards.

ISA President Larry Clinton noted how well the trade groups’ handbook meshes with NIST’s new guidelines. “The NIST filing does an excellent job linking many of the principles directors have articulated as necessary for effective cybersecurity,” he says. “The NISTIR, like the NACD-ISA handbook, urges enterprises to utilize the modern models that are being developed to help organizations appropriately balance economic growth and cyber risk.”

I had the chance to drill down on this with … more

NEW TECH: Silverfort helps companies carry out smarter human and machine authentications

By Byron V. Acohido

Doing authentication well is vital for any company in the throes of digital transformation.

Digital commerce would fly apart if businesses could not reliably affirm the identities of all humans and all machines, that is, computing instances, that are constantly connecting to each other across the Internet.

Related: Locking down ‘machine identities’

At the moment, companies are being confronted with a two-pronged friction challenge, when it comes to authentication. On the one hand, they’re encountering crippling friction when attempting to migrate legacy, on-premises systems to the cloud. And on the other hand, there’s no authentication to speak of  – when there needs to be some — when it comes to machine-to-machine connections happening on the fly to make digital processes possible.

I had an enlightening discussion about this with Dana Tamir, vice president of market strategy for Silverfort, a Tel Aviv-based supplier of agentless multi-factor authentication technology. We spoke at RSA 2020. For a full drill down of the interview, please listen to the accompanying podcast. Here are excerpts, edited for clarity and length:

LW: Can you frame the authentication challenge companies face today?

Tamir: One of the biggest changes taking place is that there are many more remote users, many more employees bringing their own devices, and many more cloud resources are being used. This has basically dissolved the network perimeter. You can’t assume trust within the perimeter  because the perimeter doesn’t exist anymore.

And yet we know that threats exist everywhere, within our own environments, and out in the cloud. So that changes the way security needs to be applied, and how we authenticate our users. We now need to authenticate users everywhere, not only when they enter the network.

LW: What obstacles are companies running into with cloud migration?

SHARED INTEL: Threat actors add a human touch to boost effectiveness of automated attacks

By Byron V. Acohido

Trends in fashion and entertainment come and go. The same holds true for the cyber underground.

Related: Leveraging botnets to scale attacks

For a long while now, criminal hackers have relied on leveraging low-cost botnet services to blast out cyber attacks as far and wide as they could, indiscriminately. Over the past 18 months or so, a fresh trend has come into vogue. It essentially involves applying hands-on human cleverness to the task of extracting highest value from assets gained in the automated sweeps.

British antimalware and network security vendor Sophos refers to this new tactic as “automated, active attacks.” Sophos Senior Security Advisor John Shier broke it down for me. We met at Black Hat 2019. For a full drill down, give a listen to the accompanying podcast. Here are the key takeaways:

Human touch

It has long been common practice to use botnets to blast out wave after wave of e-mails carrying tainted PDFs or Word docs, or a web link pointing to a booby-trapped page – and seeing who would bite. Lately, progressive criminal rings are taking a page out of the playbook of nation-state sponsored APT strikes — by adding more human nuances to their attacks.

“They may discover their targets through some sort of automated technique, which gets them a toehold into the company, or they might just simply go to Shodan (search engine) to discover open, available RDP hosts,” Shier told me. “Once they’re in the front door, now the humans get involved.”

Related: How ransomware became a scourge

Specialists get assigned to poke around, locate key servers and find stealthy paths to send in more malware. They’ll take more manual steps to encrypt servers, exfiltrate data – or do both.

“Cyber criminals are getting into the environment, elevating privileges as much as they can and moving laterally to other segments of the network,” Shier says. “And then, instead of encrypting one … more

Q&A: Here’s why Android users must remain vigilant about malicious apps, more so than ever

By Byron V. Acohido

Android users – and I’m one – are well-advised to be constantly vigilant about the types of cyberthreats directed, at any given time, at the world’s most popular mobile device operating system.

Related: Vanquishing BYOD risks

Attacks won’t relent anytime soon, and awareness will help you avoid becoming a victim. It’s well worth it to stay abreast of news about defensive actions Google is forced to take to protect Android users. Just recently, for instance, the search giant removed 50 malicious apps, installed 30 million times, from the official Google Play Store, including fitness, photo-editing, and gaming apps.

And earlier this year, three popular “selfie beauty apps”– Pro Selfie Beauty Camera, Selfie Beauty Camera Pro and Pretty Beauty Camera 2019 – accessible in Google Play Store were revealed to actually be tools to spread adware and spyware. Each app had at least 500,000 installs, with Pretty Beauty Camera 2019 logging over 1 million installs, mainly by Android users in India.

Instructive details about both of these malicious campaigns come from malware analysts working on apklab.io, which officially launched in February. Apklab.io is Avast’s mobile threat intelligence platform designed to share intelligence gathered by analyzing samples collected from 145 million Android mobile devices in use worldwide.

I had the chance to sit down with Nikolaos Chrysaidos (pictured), head of mobile threat intelligence and security at Avast, to drill down on the wider context of the helpful findings apklabl.io has begun delivering. Here are excerpts of our discussion, edited for clarity and length:

Acohido: What was distinctive about the 50 malicious Android apps your analysts recently discovered?

Chrysaidos: The installations ranged from 5,000 to 5 million installs, and included adware that persistently displayed full screen ads, and in some cases, tried to convince the user to install further apps. The adware applications were linked together by the use of third-party Android libraries, which bypass the background service restrictions … more

Q&A: The drivers behind the stark rise — and security implications — of ‘memory attacks’

By Byron V. Acohido

A distinctive class of hacking is rising to the fore and is being leveraged by threat actors to carry out deep, highly resilient intrusions of well-defended company networks.

Related: Memory hacking becomes a go-to tactic

These attacks are referred to in the security community as “fileless attacks” or “memory attacks.” The latter conveys a more precise picture: memory hacking refers to a broad set of practices, which can include fileless attacks, that constitute this go-deep form of network break-ins.

I had the chance at RSA 2019 to discuss memory hacking with Willy Leichter, vice president of marketing, and Shauntinez Jakab, director of product marketing, at Virsec, a San Jose-based supplier of advanced application security and memory protection technologies.

They walked me through how threat actors are cleverly slipping snippets of malicious code past perimeter defenses and then executing their payloads  – undetected while applications are live, running in process memory.

For a long time, memory hacking was the exclusive province of nation-state backed operatives. But over the past couple of years, memory attacks have come into regular use by common cybercriminals. Garden-variety threat actors are now leveraging memory hacking tools and techniques to gain footholds, move laterally and achieve persistence deep inside well-defended networks.

For a comprehensive drill down, please view the accompanying YouTube video of my full interview with Leichter and Jakab at RSA 2019’s broadcast alley. Here are excerpts, edited for clarity and length:

LW: Can you frame this new class of hacking?

Q&A: Researchers find evidence of emerging market for stolen, spoofed machine identities

By Byron V. Acohido

It’s edifying what you can find shopping in the nether reaches of the dark web.

Related: Why government encryption backdoors should never be normalized.

Academic researchers from Georgia State University in the U.S. and the University of Surrey in the U.K. recently teamed up and found evidence of an emerging market for stolen and spoofed machine identities.

Specifically, the researchers found:

•A ready inventory of stolen SSL/TLS certificates, along with a range of related services and products, for sale, priced from $260 to $1,600, depending on the type of certificate offered and the scope of additional services.

•Extended validation certificates, packaged with services to support malicious websites, such as Google-indexed “aged” domains, after-sale support, web design services, and integration with a range of payment processors – including Stripe, PayPal and Square.

•A vendor offering to issue certificates from reputable Certificate Authorities (CAs), along with forged company documentation, as part of a package of services enabling an attacker to credibly present themselves as a trusted U.S. or U.K. company for less than $2,000.

This emerging black market for machine identities is but a mere starting point for cyber criminals who recognize a huge, unguarded exposure when they see one. Thus, threat actors have begun moving with alacrity to capitalize on it, before companies get around to protecting their exposed machine identity.

Repeated missteps

As a famous American sports hero once said, “It’s Déjà vu all over again.” In cobbling together our classic business networks, we did an imperfect job setting up privileged access for human users – and we continue to pay the price.  And yet, we are about to repeat the same missteps with respect to the over-privileging of non-human, or machine, identities.

Machine identities are what make hybrid business networks possible; they are nothing less than the key to stitching together emerging IoT- and 5G-centric systems. Think about the coming generation of smart homes, public venues, utilities and transportation … more

Q&A: How AI, digital transformation are shaking up revenue management in high tech, life sciences

By Byron V. Acohido

A recent poll of some 300 senior executives from U.S.-based life sciences and high-tech manufacturing companies sheds light on how digital transformation – and the rising role of third-party partners – have combined to create unprecedented operational challenges in the brave new world of digital commerce.

Related: AI one-upsmanship prevails in antivirus field

Model N’s 2019 State of Revenue Report surveyed CEOs, CMOs and senior sales executives from leading pharmaceutical, medical devices, high-tech manufacturing and semiconductor companies. Model N is a San Mateo, CA-based supplier of revenue management systems.

Some 78 percent of respondents said AI has altered the way they do revenue management,  while 69 percent identified digital transformation as a revenue management game changer. Meanwhile, some 90 percent of respondents reported reliance on 20 or more partners, while 70 percent said they work with 40 or more partners.

Model N’s study provides yet another perspective on the unprecedented complexities organizations must navigate to compete in an internet-centric business environment. The core challenge for just about any company seeking top line and bottom line growth boils down to solving two intricate puzzles: how to deploy advanced digital systems in just the right measure; and how to collaborate, effectively and securely, with third-party partners.

And, of course, this must be done while defending the company’s digital assets against rising cyber attacks, launched by skilled, determined threat actors.

With that in mind, Last Watchdog sat down with Model N CEO Jason Blessing to drill down on a few instructive findings from Model N’s poll — and connect the dots to some wider. Here are excerpts edited for clarity and length.

LW: How has the revenue generation landscape shifted over the past few years?